CVE-2026-8854 — IBM HTTP Server mod_mem_cache Denial-of-Service
IBM HTTP Server 8.5 and 9.0 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the optional `mod_mem_cache` module that can be triggered remotely.
IBM HTTP Server versions 8.5 and 9.0 are susceptible to a denial-of-service vulnerability identified as CVE-2026-8854. The vulnerability lies within the optional mod_mem_cache module, which, when enabled, allows an attacker to potentially exhaust server resources, leading to a DoS condition. This module is not enabled by default, reducing the overall attack surface. The vulnerability stems from an expired pointer dereference (CWE-825) which can be triggered remotely, impacting the availability of the web server.
Attack Chain
- The attacker identifies a target IBM HTTP Server running versions 8.5 or 9.0 with the `mod_mem_cache` module enabled.
- The attacker sends a series of crafted HTTP requests to the server.
- These requests are designed to interact with the `mod_mem_cache` module in a way that triggers the vulnerability.
- The crafted requests cause the `mod_mem_cache` module to attempt to dereference an expired pointer.
- This invalid memory access leads to a crash within the HTTP server process.
- The repeated crashing of the HTTP server processes leads to a denial-of-service condition, preventing legitimate users from accessing the server.
Impact
Successful exploitation of this vulnerability can result in a denial-of-service condition, rendering the IBM HTTP Server unavailable. This can disrupt business operations, impacting web services and applications that rely on the affected server. The severity is rated as High with a CVSS v3.1 score of 7.5, indicating a significant risk to organizations using the affected IBM HTTP Server versions.
Recommendation
- Disable the `mod_mem_cache` module if it is not required for your specific configuration to mitigate the risk.
- Apply the patch or upgrade to a fixed version of IBM HTTP Server as provided by IBM to remediate CVE-2026-8854 (reference: https://www.ibm.com/support/pages/node/7274065).
- Monitor web server logs for unusual activity and patterns indicative of denial-of-service attacks; deploy the Sigma rule for this CVE to detect exploit attempts.
- Implement rate limiting and request filtering to mitigate potential denial-of-service attacks against the web server.
Detection coverage (2)
Detects CVE-2026-8854 Exploitation Attempt — High Request Rate to Web Server
Severity: medium. Detects CVE-2026-8854 exploitation attempt — monitors for an abnormally high number of requests to the web server from a single source IP address within a short time frame, potentially indicating a denial-of-service attack.
Detects CVE-2026-8854 Exploitation Attempt — Multiple 5xx Errors
Severity: low. Detects CVE-2026-8854 exploitation attempt — monitors for a surge in 5xx server errors on the web server, possibly indicating crashes due to the vulnerability being exploited.
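The two detections described above, as an added example (not the platform's rules and not IBM's code): a sliding time window over access-log lines that flags source IPs with an abnormally high request rate and records when a surge of 5xx responses begins. The common/combined log format, the 10-second window, both thresholds and the function names are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Assumed common/combined access-log format: client IP, timestamp, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(line):
    """Return (timestamp, client_ip, status), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1), int(m.group(3))

def detect(lines, window_s=10, rate_threshold=20, err_threshold=5):
    """Return (noisy source IPs, start times of 5xx surges). Thresholds are assumed."""
    window, per_ip = deque(), Counter()
    errors, in_burst = 0, False
    noisy_ips, error_bursts = set(), []
    for rec in filter(None, map(parse, lines)):
        ts, ip, status = rec
        window.append(rec)
        per_ip[ip] += 1
        errors += status >= 500
        # Expire events that fell out of the time window.
        while ts - window[0][0] > timedelta(seconds=window_s):
            _, old_ip, old_status = window.popleft()
            per_ip[old_ip] -= 1
            errors -= old_status >= 500
        if per_ip[ip] > rate_threshold:
            noisy_ips.add(ip)
        if errors >= err_threshold and not in_burst:
            error_bursts.append(ts)  # record only the moment the surge begins
        in_burst = errors >= err_threshold
    return noisy_ips, error_bursts

def sample_log():
    """Constructed sample: 30 requests in 3 s from one client, then six 503s."""
    base = datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [(base + timedelta(milliseconds=100 * i), "192.0.2.10", 200) for i in range(30)]
    rows += [(base + timedelta(seconds=4 + i), "198.51.100.7", 503) for i in range(6)]
    rows.append((base + timedelta(seconds=60), "198.51.100.7", 200))
    fmt = '{} - - [{}] "GET /index.html HTTP/1.1" {} 512'
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), st) for t, ip, st in rows]

if __name__ == "__main__":
    print(detect(sample_log()))
```

The code assumes log lines arrive in time order; tune the window and thresholds against a baseline of normal traffic before alerting on them.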